A ransomware attack targets Windows system administrators by using Google advertisements to promote fraudulent download sites for Putty and WinSCP. WinSCP and Putty are popular Windows applications; WinSCP is an SFTP and FTP client, while Putty is an SSH client.
System administrators typically have more rights on a Windows network, making them prime targets for threat actors looking to quickly propagate over a network, steal data, and get access to a network's domain controller to deliver ransomware.
According to a recent Rapid7 report, a search engine campaign featured adverts for fake Putty and WinSCP websites when users searched for download winscp or download putty. It's unclear whether this promotion took place on Google or Bing.
These advertisements employed typosquatting domain names such as puutty.org, puutty[.]org, wnscp[.]net, and vvinscp[.]net. While these sites impersonated the official WinSCP site (winscp.net), the threat actors impersonated an unaffiliated PuTTY site (putty.org), which many people assume is the real one. PuTTY's official website is at https://www.chiark.greenend.org.uk/~sgtatham/putty/.
These sites include download links that, when clicked, may either redirect you to legitimate websites or download a ZIP archive from the threat actor's servers, depending on whether you were sent by a search engine or another site in the campaign.
The downloaded ZIP packages contain two executables: Setup.exe, a renamed and legitimate Python for Windows executable (pythonw.exe), and python311.dll, a malicious program.
When the pythonw.exe programme is run, it will try to launch a valid python311.dll file. However, the threat actors changed this DLL with a malicious version loaded via DLL Sideloading.
When a user launches Setup.exe, expecting to install PuTTY or WinSCP, it loads the malicious DLL, which extracts and implements an encrypted Python script.
This script will eventually install the Sliver post-exploitation toolkit, which is a popular tool for gaining access to corporate networks. Rapid7 claims the threat actor utilised Sliver to remotely deploy other payloads, including Cobalt Strike beacons. The hacker utilised this access to steal data and try to install a ransomware encryptor.
While Rapid7 provided little specifics about the ransomware, the researchers say it is comparable to campaigns detected by Malwarebytes and Trend Micro, which used the now-defunct BlackCat/ALPHV ransomware.
"In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution," stated Rapid7's Tyler McGraw. "The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year.”